Yesterday the XREX secops team noticed an AML alert — one of our users tried to withdraw funds into wallet: 1BT5vBb9WKudUAX51jiWi3pAawobD3mZwM;
Our system blocked this withdrawal due to its high CipherTrace risk score.
[Investigation Summary]
=======
Victims: 1000+ people from worldwide, scammed into making 2,079 transactions.
Scammed funds: 205.4925067 BTC (roughly $3M at writing time).
Attribution: Nigerian “Operation N-Fiverr.”
Time frame: they’ve been running multiple campaigns starting 2017 Dec.
Tool supplier: outsourced to iPongDev.Tech (also Nigerian), in PHP+Laravel.
Websites: they've worked with iPongDev.Tech to launch more than 30 different scam websites, by modifying from the same codebase.
Stolen passports and IDs: by asking victims to KYC, we believe they've stolen these victim's IDs to create KYC'ed accounts at exchanges; they use these accounts to collect defrauded funds from victims.
Wallets: a combination of own wallets, as well as compromised, KYC’ed wallets of Remitano, Gemini. We published a list of 48 wallet addresses used by this actor.
Domains and IPs: we published a list of 49 domains and 13 IP addresses used by this actor.
Investigation method: XREX obtained source code and admin panel access.
=======
[Investigation]
Having stopped our user’s withdrawal into this actor’s wallet, we started to trace back into their infrastructure. We stumbled upon a directory listing vulnerability within the actor’s infrastructure, which allowed us to obtain the source code of their attack tools:
Investigating into our obtained source code of this actor, we understood they bought their codebase from the Nigerian company iPongDev Tech. iPongDev sold codebases relating to crypto exchange, wallet, and investment. For the basic framework, they mostly used PHP and Laravel, and for k-line and other visualizations they used TradingView and coinlib.io widgets.
From this actor’s backend admin panel, we can see that their entire scam tooling is modified from a crypto investment platform sold by iPongDev Tech:
Using the backend panel, we can see the list of victims and their defrauded amounts and dates:
The profit numbers are of course fake but importantly, they do not approve withdrawals, which effectively makes this own operations a scam. While they’ve not approved a single withdrawal request, some users have sadly reached out to them via their customer support system hundreds of times. Of course, they’ve never replied.
[Money Flow]
Operation N-Fiverr’s money flow has been consistent — as soon as a victim is defrauded into transferring BTC into one of their wallets, they will immediately forward those BTC into either a) their other on-chain wallets, or b) their exchange wallets.
We’ve also found them to be directly using compromised Remitano and Gemini wallets for victim deposits.
[Attack]
Operation N-Fiverr attracts victims by pitching them various high-interest rate crypto investment platforms. By modifying from the same codebase, they've worked with iPongDev.Tech to launch more than 30 different scam websites:
In general, these fraudulent platforms offer:
Once a victim wants to withdraw funds, Operation N-Fiverr will launch a second wave of attack:
Asking the victim to further deposit 10%-20% of the earned profits prior to withdrawal, saying that this is “per company policy.”
Many victims have been defrauded into sending in more funds. Once a victim finally realizes she may never be getting her funds back, the actor cuts off all communication.
Using the particular wallet address used against our user, we were able to find the following abuse reports of Operation N-Fiverr:
[Collaboration]
XREX secops was able to block our user’s withdrawal into Operation N-Fiverr’s wallet due to AML triggers by CipherTrace; we thank them also for their strong technical support during this investigation.
This investigation is by no means complete; we’ve had very limited time but wanted to publish asap so the community can collectively blacklist this actor’s resources and mitigate this attack.
We will appreciate any help from the community; please feel free to reach us at [email protected].
[Blacklists and Blocklists]
Operation N-Fiverr domains:
Operation N-Fiverr wallets:
Operation N-Fiverr IP addresses:
IP, Country, ASN
More on investigative Crypto AML from XREX secops team: First suspicious transaction series detected
Credits: Sun Huang, Wolf Chan, Wayne Huang, Yoyo Yu @ XREX
We will appreciate any help from the community; please feel free to reach the XREX secops team at [email protected].